[Freeipa-devel] Re: Certificate enrollment, principal names

Dmitri Pal dpal at redhat.com
Thu Nov 5 18:36:35 UTC 2009


>> Ok so here are the questions I have:
>>
>> We send the CSR from certmonger and the principal name separately. Is
>> this the right approach?
>> Do we send the principal in case an admin requests a cert for someone using
>> the main CLI? I hope not.
>> Does that mean that the server already knows how to dig into the CSR and get
>> the principal out of it?
>> Why can't we reuse the same approach then?
>>
>> The more I think about the difference between the admin+CLI use case vs
>> the certmonger use case
>> the more I come to the conclusion that they should have a lot in common.
>> I.e:
>>
>> a) Server side part of the XML RPC is probably same
>> b) The permissions are checked on the ACI basis so interface and XML-RPC
>> code does not know anything about that part at all.
>> c) Logic of the client is pretty much the same. The only main difference, it seems,
>> is that certmonger is a C application
>> and the admin CLI is Python, but they should do pretty much the same thing:
>> * create CSR
>> * send it to the server
>> * when the server responds, process the result (save the cert to a file or NSS
>> database or just spit it out as a base64-encoded string).
>>  
>> Am I oversimplifying things, and is there really something different on
>> the server side between processing certmonger's cert
>> request vs processing a CLI request initiated by an admin?
>>
>
> This is about right. What you're missing is storing the certificate in
> the service record. To do this we need to know what the target is.
>
Yes, but it should not be any different. The service principal is just a part
of the request, and the certmonger client can be configured to provide the
service principal too.
So the code on the server should be pretty generic and be able to serve
both implementations of clients. It is just that for the CLI case
the service target is likely to be provided, while for certmonger the
service target most likely is not provided.
If it is not provided, the target defaults to the host principal provided.


> Nalin and I simply took two different approaches to sending this. We
> can easily support either method by making the principal an optional
> attribute and looking for it in the CSR if not provided (assuming I
> can get my head around PKCS#10 enough to grab attributes).

I hope this can be reconciled.

>
> rob


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
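
The resolution order the thread converges on (explicit principal if the client sent one, otherwise whatever the CSR carries, otherwise the requester's host principal) as an added, stand-alone example. This is not FreeIPA's or certmonger's code, and it does not claim to know how FreeIPA actually encodes the principal; it assumes, for illustration only, that a client embedding the principal puts it in the CSR subject CN. The names resolveTarget, looksLikePrincipal and makeCSR are hypothetical, and the CSRs are constructed inside the example with a throwaway key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// looksLikePrincipal is a deliberately simple heuristic assumed for this
// example: a Kerberos service principal has the shape service/host@REALM.
func looksLikePrincipal(s string) bool {
	slash := strings.Index(s, "/")
	at := strings.LastIndex(s, "@")
	return slash > 0 && at > slash+1 && at < len(s)-1
}

// resolveTarget decides which service record a certificate request is for.
// explicit is the optional principal sent alongside the CSR (the CLI case),
// csrDER is the PKCS#10 request, hostPrincipal is the authenticated
// requester's host principal (the certmonger case). Authorization of the
// requester against the resolved target is out of scope here (ACIs).
func resolveTarget(explicit string, csrDER []byte, hostPrincipal string) (string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return "", fmt.Errorf("bad PKCS#10 request: %w", err)
	}
	// Proof of possession: the CSR must be signed by the key it carries.
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR signature invalid: %w", err)
	}
	// Assumption for this example: a client that embeds the principal puts
	// it in the subject CN. The thread does not settle where it will live.
	fromCSR := ""
	if cn := csr.Subject.CommonName; looksLikePrincipal(cn) {
		fromCSR = cn
	}
	switch {
	case explicit != "" && fromCSR != "" && explicit != fromCSR:
		// Fail closed when the two sources disagree rather than pick one.
		return "", fmt.Errorf("principal %q does not match CSR subject %q", explicit, fromCSR)
	case explicit != "":
		return explicit, nil
	case fromCSR != "":
		return fromCSR, nil
	case hostPrincipal != "":
		return hostPrincipal, nil
	}
	return "", errors.New("no target principal: none supplied, none in CSR, no host principal")
}

// makeCSR builds a throwaway PKCS#10 request with the given subject CN
// (constructed test input for this example; the private key is discarded).
func makeCSR(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	host := "host/web.example.com@EXAMPLE.COM"

	// certmonger-style: no explicit principal, but the CSR carries one.
	csr, _ := makeCSR("HTTP/web.example.com@EXAMPLE.COM")
	target, err := resolveTarget("", csr, host)
	fmt.Println(target, err)

	// certmonger-style with a plain hostname CN: falls back to the host principal.
	csr, _ = makeCSR("web.example.com")
	target, err = resolveTarget("", csr, host)
	fmt.Println(target, err)

	// Garbage CSR is rejected even when an explicit principal is supplied.
	_, err = resolveTarget("ldap/other.example.com@EXAMPLE.COM", []byte{0x30, 0x00}, host)
	fmt.Println(err)
}
```

The order matters for the caveat the thread raises: if the server ever honours an explicit principal without also parsing and signature-checking the CSR, the cheap "look in the CSR if not provided" path and the "trust what the client told us" path diverge, and a mismatch between the two is exactly the case a server should refuse rather than resolve silently.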

